Yet Another Delegation Thread
Dick Hardt
dick at sxip.com
Thu Oct 26 14:18:23 UTC 2006
On 25-Oct-06, at 12:43 PM, Josh Hoyt wrote:
>
> The primary reasons that I think it's useful to send the IdP-specific
> identifier as well:
>
> 1. The IdP is not *responsible for* doing discovery, so:
>
> * It's possible to be more efficient, since discovery is not
> duplicated by the IdP and RP. This is mostly just a nice side-effect
> and is not the primary motivation for my support.
>
> * there is one less place where spoofing discovery is a valid
> attack. If the relying party is not checking the IdP-specific
> identifier, compromising an IdP's discovery is sufficient to hijack a
> user's identifier.
If the IdP is not doing discovery per your previous comment, then
compromising the RP's discovery is sufficient to hijack a user's
identifier, and it likely is easier to compromise an RP than an IdP,
and we should move complexity to IdPs to an RP all other things being
equal.
>
> * If the IdP-specific identifier is not checked by the relying
> party's discovery, the IdP MUST do discovery on every request to
> ensure that it's not making an assertion based on stale information.
Which is probably a good idea. :-)
If the IdP is sending both identifiers in a signed response, then
they both should be valid.
>
> 2. Checking the response is more strict, since ALL of the discovered
> information must be verified.
>
> Put these together, and it's my case for sending both identifiers.
I understand your case.
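The RP-side check discussed above, written out as an added example (not code from the thread or from any OpenID library): the relying party accepts a signed assertion only if both the claimed identifier and the IdP-specific identifier agree with what the RP's own discovery found, so a spoofed mapping on the IdP side is rejected. The discovery table, association secret and signature layout are constructed stand-ins, not the real protocol encoding.

```python
import hashlib
import hmac

# Constructed stand-in for the RP's own discovery of the claimed identifier:
# claimed_id -> (IdP endpoint, IdP-specific / delegate identifier).
DISCOVERED = {
    "https://alice.example.net/": (
        "https://idp.example.org/openid",
        "https://idp.example.org/users/alice",
    ),
}

# Constructed association secret shared between RP and IdP.
ASSOC_KEY = b"constructed-shared-association-secret"


def sign(fields, signed):
    # Hypothetical signature: HMAC-SHA1 over the listed fields, in order.
    msg = "".join(f"{k}:{fields[k]}\n" for k in signed)
    return hmac.new(ASSOC_KEY, msg.encode(), hashlib.sha1).hexdigest()


def make_response(claimed_id, identity, op_endpoint):
    # Builds the IdP's signed assertion carrying both identifiers.
    fields = {"claimed_id": claimed_id, "identity": identity,
              "op_endpoint": op_endpoint,
              "signed": "claimed_id,identity,op_endpoint"}
    fields["sig"] = sign(fields, fields["signed"].split(","))
    return fields


def verify_response(resp, discovered=DISCOVERED):
    """RP check: signature valid AND every discovered fact matches the assertion."""
    signed = resp["signed"].split(",")
    if not {"claimed_id", "identity", "op_endpoint"} <= set(signed):
        return False, "identifiers not covered by signature"
    if not hmac.compare_digest(sign(resp, signed), resp["sig"]):
        return False, "bad signature"
    found = discovered.get(resp["claimed_id"])
    if found is None:
        return False, "claimed_id unknown to RP discovery"
    endpoint, delegate = found
    if resp["op_endpoint"] != endpoint:
        return False, "endpoint does not match RP discovery"
    if resp["identity"] != delegate:
        return False, "IdP-specific identifier does not match RP discovery"
    return True, "ok"
```

A response whose `identity` field names some other account at the same IdP (the case where the IdP's view of discovery has been tampered with) carries a valid IdP signature but still fails the RP's comparison.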